RSA Authentication with SSH on Picture Perfect 2.0 and 4.0
This paper describes how to use RSA authentication to:
1. perform secure non-interactive file transfers from Picture Perfect hosts to external systems, and
2. configure the Picture Perfect server to require all remote users to authenticate using RSA, thereby eliminating the exchange of system passwords over the network.
It is assumed that Telnet and FTP have already been disabled and that SSH protocol is the only means for remotely accessing Picture Perfect.
For the examples below, the Picture Perfect server, pphost, is at IP 10.1.1.2 and the remote server is at IP 10.1.1.3. We also assume that the remote system runs a Linux distribution and that you do not have access to a shell account on the remote system (so the steps on that host require the cooperation of the remote system's administrator).
Non-interactive File Transfers
It is sometimes necessary to use a secure file transfer connection that does not require a password.
On the Remote Host
1. Ensure that the OpenSSH Secure Shell daemon sshd is enabled and running:
   /sbin/chkconfig sshd on
   /sbin/service sshd start
On the Picture Perfect Host
1. Log in as root and create the user account:
   useradd ppuser
2. Switch users to the newly created account:
   su - ppuser
3. Create the .ssh directory and change its permissions to drwx------.
   mkdir .ssh
   chmod 700 .ssh
4. Change to the .ssh directory and create the private/public key pair. This is an interactive utility.
   cd .ssh
   ssh-keygen -t dsa
5. The system will prompt for a file name and twice for a pass phrase. Enter and re-enter your secure pass phrase. Do not use an empty pass phrase.
   Enter passphrase (empty for no passphrase): ********
   Enter same passphrase again: ********
   Your identification has been saved in /home/ppuser/.ssh/id_dsa.
   Your public key has been saved in /home/ppuser/.ssh/id_dsa.pub.
   The key fingerprint is:
   88:8a:65:be:a8:11:cf:97:94:64:f5:92:3c:fb:78:8a ppuser@pphost
6. If you list the contents of the directory, you will see the private and public keys (id_dsa and id_dsa.pub respectively).
   ls -la
   total 16
   drwx------ 2 ppuser ppuser 4096 Sep 9 11:19 .
   drwx------ 3 ppuser ppuser 4096 Sep 9 11:08 ..
   -rw------- 1 ppuser ppuser  883 Sep 9 11:19 id_dsa
   -rw-r--r-- 1 ppuser ppuser  225 Sep 9 11:19 id_dsa.pub
7. Securely copy the public key file to the remote server, supplying the password provided by the remote administrator when prompted. Type yes when prompted to verify the authenticity of the remote host.
   scp -p id_dsa.pub 10.1.1.3:
   The authenticity of host '10.1.1.3 (10.1.1.3)' can't be established.
   RSA key fingerprint is de:db:36:5f:23:42:cf:36:fb:4e:86:26:9a:02:2b:63.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added '10.1.1.3' (RSA) to the list of known hosts.
   ppuser@10.1.1.3's password: ********
   id_dsa.pub 100% 605 0.6KB/s 00:00
On the Remote Host:
1. As root, switch users to ppuser.
   su - ppuser
2. Install ppuser's public key, which was just copied from the Picture Perfect host.
   [ ! -d .ssh ] && mkdir .ssh
   chmod 700 .ssh
   cd .ssh
   cat ../id_dsa.pub >> authorized_keys
   chmod 600 authorized_keys
   rm -f ../id_dsa.pub
3. Change ppuser's password to something that only you know. This effectively prevents the remote user from logging in with a password. You can also enforce this by editing the /etc/ssh/sshd_config file; however, such a change has system-wide effects. The last section of this paper describes how to disable passwords over SSH.
On the Picture Perfect Host
8. At this point, if you try to ssh or scp to the remote system, you will still be prompted for a pass phrase:
   [ppuser@pphost ~]$ ssh 10.1.1.3
   Enter passphrase for key '/home/ppuser/.ssh/id_dsa': *********
   [ppuser@10.1.1.3 ~]$
Of course, this isn't exactly passwordless. Unattended file transfers would always require someone to provide a pass phrase. To eliminate pass phrases, use the keychain package.
Since this needs to be installed as root, exit your "su ppuser" session.
9. Download and install the latest version of keychain from Aron Griffis' Home Page.
After the keychain is installed, switch users to ppuser again and add the following lines to ppuser's .bash_profile:
# Unqualified host name: keychain names its files after the host.
UQDN=$(expr `hostname` : '\([A-Za-z0-9_\-]\+\).*$')
# Start (or reuse) an ssh-agent holding ppuser's key. The pass phrase is asked for once;
# the agent then persists across logins until the system is rebooted.
/usr/bin/keychain ~/.ssh/id_dsa
# Import the agent's environment variables into this login shell.
source ~/.keychain/${UQDN}-sh >/dev/null
Log completely off of the Picture Perfect system.
10. Then log in again as ppuser.
   Last login: Thu Aug 30 13:14:14 2007 from machine.mydomain.com
   KeyChain 2.6.8; http://www.gentoo.org/proj/en/keychain/
   Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
    * Found existing ssh-agent (29517)
    * Known ssh key: /home/ppuser/.ssh/id_dsa
If configured correctly, a password will not be required when ppuser initiates an upload to the remote system from Picture Perfect. Verify this by typing:
   cd
   echo REMOVE >remove.me
   scp remove.me ppuser@10.1.1.3:
   remove.me 100% 1702KB 1.7MB/s 00:00
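The unattended upload described above, as an added example that is not part of the Picture Perfect documentation: it checks the permissions that steps 3 and 6 set up (sshd's StrictModes rejects keys in group- or world-readable files), confirms the keychain-started agent holds the key, and then runs scp in batch mode so a scheduled job fails cleanly instead of hanging on a prompt. It assumes this paper's layout: key ~/.ssh/id_dsa, remote user ppuser at 10.1.1.3.

```shell
#!/bin/sh
# Added example, not part of the Picture Perfect documentation. Pre-flight checks plus a
# batch-mode upload for the unattended transfer described above. Assumes this paper's
# layout: key ~/.ssh/id_dsa loaded into ssh-agent by keychain, remote user ppuser at 10.1.1.3.

# mode_of PATH: octal permission bits, on GNU (stat -c) or BSD (stat -f) systems.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_ssh_perms DIR: return 0 if DIR is 700 and id_dsa / authorized_keys (where present)
# are 600. sshd's StrictModes rejects keys in group- or world-accessible files, and the
# only symptom is an unexpected password prompt, so check this before blaming the agent.
check_ssh_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "missing $dir" >&2; return 1; }
    [ "$(mode_of "$dir")" = "700" ] || { echo "$dir must be mode 700" >&2; return 1; }
    for f in id_dsa authorized_keys; do
        [ -e "$dir/$f" ] || continue
        [ "$(mode_of "$dir/$f")" = "600" ] || { echo "$dir/$f must be mode 600" >&2; return 1; }
    done
    return 0
}

# agent_has_key KEYFILE: return 0 if the running ssh-agent holds KEYFILE (compared by the
# public key material, since the output format of ssh-add -l varies between versions).
agent_has_key() {
    pub=$(cut -d' ' -f2 "$1.pub") || return 1
    ssh-add -L 2>/dev/null | grep -qF "$pub"
}

# upload_unattended FILE: copy FILE to ppuser's home on the remote host. BatchMode makes
# ssh fail instead of prompting, and StrictHostKeyChecking=yes refuses a host key that is
# not already in known_hosts (it was recorded by the first scp in step 7); scp's exit
# status is returned so a cron job can log the failure.
upload_unattended() {
    check_ssh_perms "$HOME/.ssh" || return 1
    agent_has_key "$HOME/.ssh/id_dsa" || { echo "id_dsa is not loaded in ssh-agent" >&2; return 1; }
    scp -p -o BatchMode=yes -o StrictHostKeyChecking=yes "$1" "ppuser@10.1.1.3:"
}
```

Call upload_unattended from the job that produces the file; because keychain's agent is inherited through the environment file sourced in .bash_profile, a cron job must source ~/.keychain/${UQDN}-sh itself before calling it.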
RSA Authentication on Picture Perfect Hosts
Now that you have seen how to set up an outbound connection, it is extremely simple to configure a user account to use RSA authentication.
On the Picture Perfect Host
1. Instruct users on remote client computers that they need to generate DSA keys and add the public keys to their .ssh/authorized_keys files on the Picture Perfect host.
2. Edit the file /etc/ssh/sshd_config.
3. Enforce DSA authentication only by ensuring that only SSH Protocol 2 is used:
   Protocol 2
4. Disable the use of passwords with SSH. Ensure that the following parameters are set:
   PasswordAuthentication no
   ChallengeResponseAuthentication no
5. Enable RSA authentication. Ensure that the following parameter is set:
   RSAAuthentication yes
6. Ensure that the OpenSSH Secure Shell daemon sshd is enabled and running:
   /sbin/chkconfig sshd on
   /sbin/service sshd start
From this point forward, access will only be permitted if the client uses RSA authentication.
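An added example, not from the Picture Perfect documentation: a shell audit of sshd_config for the settings in steps 3 to 5, run against a constructed weak config and a hardened one. One caveat it encodes: in OpenSSH, RSAAuthentication governs protocol 1 only, while public-key logins over protocol 2 are controlled by PubkeyAuthentication (default yes), so the audit also fails if that has been explicitly turned off, since disabling passwords would then lock every user out.

```shell
#!/bin/sh
# Added example, not part of the Picture Perfect documentation. Audits an OpenSSH sshd_config
# for the settings required in steps 3 to 5 before sshd is restarted. Top-level directives
# only; Match blocks are not interpreted.

# setting FILE KEY: print the effective value of KEY in lower case. sshd uses the first
# uncommented occurrence of a keyword, so later duplicates are ignored, as sshd does.
setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF == 0 { next }
        tolower($1) == k && v == "" { v = tolower($2) }
        END { if (v != "") print v }' "$1"
}

# audit_sshd_config FILE: return 0 if the file permits only protocol 2 public-key logins,
# otherwise print every problem and return 1.
audit_sshd_config() {
    f=$1; rc=0
    [ "$(setting "$f" Protocol)" = "2" ] ||
        { echo "Protocol must be exactly 2 (not 2,1 or unset)"; rc=1; }
    [ "$(setting "$f" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication must be no"; rc=1; }
    [ "$(setting "$f" ChallengeResponseAuthentication)" = "no" ] ||
        { echo "ChallengeResponseAuthentication must be no"; rc=1; }
    # RSAAuthentication applies to protocol 1 only; protocol 2 public-key logins are governed
    # by PubkeyAuthentication (default yes). An explicit "no" here would lock out every user
    # once passwords are disabled.
    [ "$(setting "$f" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication must not be no"; rc=1; }
    return $rc
}

# write_sample FILE weak|hardened: constructed sample configs used for demonstration.
write_sample() {
    if [ "$2" = "weak" ]; then
        printf '%s\n' 'Protocol 2,1' '# PasswordAuthentication no' \
            'PasswordAuthentication yes' 'ChallengeResponseAuthentication yes' > "$1"
    else
        # The trailing duplicate is deliberate: sshd keeps the first value, so it is harmless.
        printf '%s\n' 'Protocol 2' 'PasswordAuthentication no' \
            'ChallengeResponseAuthentication no' 'RSAAuthentication yes' \
            'PasswordAuthentication yes' > "$1"
    fi
}
```

After the audit passes, run sshd -t to syntax-check the file before restarting the daemon; a config that prevents sshd from starting locks you out as surely as a wrong setting does.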